why tom why:
> @ https://labs.riseup.net/code/issues/9832 @ Explain the security
> drawbacks of DVD
>
> Greetings, skillful developers of TAILS,
>
> This msg is not intended to solve the issue but contribute to shaping
> the security of TAILS DVD/USB.
That's always welcome.
> 1. sha512sum hashes or better for all fixed files on the system,
> excluding files like /var/log/* which change. A simple script would
> do. Include an option/icon in Applications\System Tools for this.
> Maybe offer the option to 'refresh' the checksum database with a
> download from TAILS website. Include checksums for updates, too.
Note that you can't verify the authenticity of a Tails device from
itself. As it doesn't work to ask someone whether she is trustworthy.
See
https://tails.boum.org/support/faq#integrity.
So this would have to be done from another trusted system.
See also
https://labs.riseup.net/code/issues/7496 for initial ideas.
Feel free to elaborate and work on that on them either in the ticket or
on the list. Such tools should be built outside of Tails, so they can be
worked on by people with little to no knowledge of the internals of the
project.
> 2. Tighten up some of the content of sysctl.conf - eliminate source
> routing and some other naughties (see old but faithful Tiger program
> and/or Lynis program results and their warnings/suggestions).
>
> 3. Paranoid mode: include scripts (like Rook Security have offered)
> to scan for potential HT/RCS infection. Doubtful, but why not.
>
> Include a list of known malicious checksums from various Linux
> malware, especially newer APT attacks. Similar to the *update* the
> 'rkhunter' package provides. Who knows, like MAT, this could become
> another useful standalone tool!
Same here, checking for root kits implies that you are trusting your
system to be able to detect them (or trusting the root kits for not
hiding themselves too well).
Otherwise, solving #7496 would have the same benefits.
